Wasting your time with things I find interesting, amusing, or enraging. Reinke does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations

CLOUD: LASTPASS earns confidence

A Note from LastPass41 LastPass : The last password you’ll have to remember by Amber Gott / 1d // keep unread // hideFacebookShare on Google PlusTwitterHootsuiteLinkedInHootsuiteBufferCustom Sharing Tool save for laterEvernoteSend to readabilityOneNoteAdd to InstapaperPocket +TAGLastPass is in part able to achieve the highest level of security for our users by looking to our community to challenge our technology.

In August 2013, a security researcher at UC Berkeley, Zhiwei Li, contacted us to responsibly disclose novel vulnerabilities with the LastPass bookmarklets (actively used by less than 1% of the user base) and One Time Passwords (OTPs). Zhiwei discovered one issue that could be exploited if a LastPass user utilized the bookmarklet on an attacking site, and another issue if the LastPass user went to an attacking site while logged into LastPass, and used their username to potentially create a bogus OTP.

Zhiwei only tested these exploits on dummy accounts at LastPass and we don’t have any evidence they were exploited by anyone beyond himself and his research team. The reported issues were addressed immediately, as confirmed by their team, and we let them publish their research before discussing it.

If you are concerned that you’ve used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords, though we don’t think it is necessary.

Regarding the OTP attack, it is a “targeted attack”, requiring an attacker to know the user’s username to potentially exploit it, and serve that custom attack per user, activity which we have not seen. Even if this was exploited, the attacker would still not have the key to decrypt user data. If you’d like to check your current OTPs you can do so here: https://lastpass.com/otp.php

We appreciate that, as the most popular password manager in the world, we have an active, dedicated community that challenges us to be better and is committed to helping us improve the security of our service. Again, we thank Zhiwei and his team for their important research.

Regards,Joe & The LastPass Team

# – # – # – # – #

I trust them.

BUT, (and there is always a BIG butt), …

… no one has my bank password.

# – # – # – # – #

Share this:

Like this:

LikeLoading...

Related

This entry was posted on Saturday, July 19th, 2014 at 06:37 and is filed under CLOUD. You can follow any responses to this entry through the RSS 2.0 feed.
You can skip to the end and leave a response. Pinging is currently not allowed.

Post navigation

One Response to CLOUD: LASTPASS earns confidence

I know nothing about Last Pass beyond what you’ve written here John, but I *can* think of at least one thing in its favor: I’m sure many folks who use Google Chrome have routinely checked off the little boxes asking “Would you like Chrome to remember your password for this site?” and assumed that the passwords were being stored securely on your computers.

Welllll… they are … but only sorta. They’re nice ‘n tight on your computer, but if you go over into your Chrome menu area (that little icon with the three horizontal lines on the top right of your screen) and then proceed through about four or five easy little “click on the menu item ” steps, you’ll suddenly get to a quite easily accessible page where ALL of your passwords are sitting right out there in plain view with no encryption or special password needed to get at them AT ALL!

(I just found out about this recently… heck, might’ve even been from HERE, in which case I’m hauling coal to Newcastle.)

So something like Last Pass may actually be a lot *more* secure in some ways than what many folks may currently be unthinkingly using.